On my local development machine, i am developing a .NET app with the AWS SDK to use a particular service.
In order for the app to communicate with AWS, i first run the AWS CLI with a particular IAM user that has been set up prior.
By default, this IAM user which is set up for this purpose has a 1 hour expiry. Meaning that after one hour of running the aws configure SSO
command it will stop working.
Eventually i wish to deploy the app for use on a web server that is outside Amazon’s environment. I imagine this involves installing the AWS CLI and running the same command initially. But what i dont want to happen is for the session to ever expire. Otherwise a human would have to manually remote into the server run the command and validate the MFA code and so on.
I cannot find any information online on how to set up a permanent AWS connection (whether the session refreshes automatically or the original one persists is of no matter). The only resources i can find relate to "long term credentials" but the documentation suggests this is bad practice.
So how does one do this in real life? How can AWS CLI be configured to always run on a server without having to worry about session expiry?
2
Answers
Use IAM Roles to provide secure AWS access on non-AWS systems. If IAM Roles are not an option, save credentials in AWS Secrets Manager or Parameter Store and change them on a regularly.
Useful links:
IAM Roles
AWS Secrets Manager
AWS Systems Manager Parameter Store
From What is AWS Identity and Access Management Roles Anywhere? – IAM Roles Anywhere: